brikis98 / infrastructure-as-code-talk

Sample code for the talk "Infrastructure-as-code: running microservices on AWS with Docker, ECS, and Terraform"
http://www.ybrikman.com/writing/2016/03/31/infrastructure-as-code-microservices-aws-docker-terraform-ecs/

change to label, update alpine to newer version #11

Closed utf18 closed 7 years ago

utf18 commented 7 years ago

Hey there,

I would suggest you change rails to ruby, since they no longer maintain it. I removed the update part in the Dockerfile, IMHO bad practice :)

Additionally, I would love to see some links or documentation in the Docker Hub repo to this GitHub repo.

greetings

brikis98 commented 7 years ago

Thanks for the fixes!

Why do you think the update is a bad practice?

utf18 commented 7 years ago

Hey there,

I think you should rely on the specific tags to ensure a consistent image build. If you build it today with tag 3.6 and update the packages which are available today, and you build it again in, let's say, 2 weeks, then the images will differ. This is something I would want to avoid. Since they are backporting packages in the "major" tags 3.4|3.5|3.6, one can ignore this, but you do increase the layers of your image with the update.

I would refine my wording and say it's not "bad" practice, but not a good one either IMHO :)

But I am open to any suggestions, if you are not on the same page as me on this one ;)

greetz

Benjamin

brikis98 commented 7 years ago

Ah, yes, that's a bit of a trade-off between reproducibility and security. By setting fixed versions on everything and avoiding update, you ensure that every build is identical. The downside is that security vulnerabilities are found all the time, so your reproducible build may end up reproducibly vulnerable :)

There's no simple answer there, but in production code, I try to use the latest patch version of programming languages, frameworks, web servers, OS's, DBs, and other tools that are likely to have important vulnerabilities; for everything else, a fixed version is fine. Of course, this repo is just sample code for a talk, so I don't think it matters as much here, but running update is probably a safer bet.

utf18 commented 7 years ago

sure :)

Most of the time it is better to select the workflow that best fits the task, instead of just going by the book. ;)

I would then suggest we add the update part again.

brikis98 commented 7 years ago

OK, I put the --update upgrade back. Merging now. Thanks!
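
The trade-off discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or the repository: a small Python audit that reports, for a single-stage Dockerfile, which sources of build drift are present and whether a rebuild picks up patched packages. The sample Dockerfiles, the function names and the result keys are constructed for illustration.

```python
import re

# Constructed sample Dockerfiles, not taken from the repository in this thread.
# The all-zero digest is a placeholder, not a real image digest.
DIGEST_NO_UPGRADE = "FROM alpine@sha256:" + "0" * 64 + "\nRUN apk add --no-cache ruby\n"
TAG_WITH_UPGRADE = "FROM alpine:3.6\nRUN apk --update upgrade && apk add ruby\n"
FLOATING_NO_UPGRADE = "FROM alpine\nRUN apk add --no-cache ruby\n"

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
# Build-time upgrade steps: "apk upgrade", "apk --update upgrade", "apt-get -y upgrade", ...
UPGRADE_RE = re.compile(
    r"\bapk\s+(?:-\S+\s+)*upgrade\b|\bapt(?:-get)?\s+(?:-\S+\s+)*(?:dist-)?upgrade\b")


def base_pinning(image):
    """Classify a FROM reference: 'digest' (immutable), 'tag' (mutable) or 'floating'."""
    if "@sha256:" in image:
        return "digest"
    name = image.rsplit("/", 1)[-1]  # drop registry host:port and repository path
    tag = name.split(":", 1)[1] if ":" in name else "latest"
    return "floating" if tag == "latest" else "tag"


def audit(dockerfile):
    """Report where a build sits between reproducibility and patch freshness."""
    bases = [base_pinning(image) for image in FROM_RE.findall(dockerfile)]
    upgrades = bool(UPGRADE_RE.search(dockerfile))
    drift = []
    if any(b != "digest" for b in bases):
        drift.append("mutable-base")        # the tag can point to a new image later
    if upgrades:
        drift.append("build-time-upgrade")  # packages depend on the build date
    return {
        "bases": bases,
        "upgrades_at_build": upgrades,
        # An empty list is necessary for identical rebuilds, not sufficient:
        # unpinned "apk add" package versions can still change.
        "drift": drift,
        # Without an upgrade step, fixes arrive only when the base reference changes.
        "patched_on_rebuild": upgrades,
    }


if __name__ == "__main__":
    for label, text in [("digest, no upgrade", DIGEST_NO_UPGRADE),
                        ("tag + upgrade", TAG_WITH_UPGRADE),
                        ("floating, no upgrade", FLOATING_NO_UPGRADE)]:
        print(label, audit(text))
```

A result with empty `drift` and `patched_on_rebuild` false is the "reproducibly vulnerable" case: such an image needs a scheduled bump of the base reference to receive fixes.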